Target IP: 192.168.250.28
Challenge Description: N/A.
Performing a port scan shows there are two TCP ports open on the target machine: SSH and HTTP, as shown above.
Performing an aggressive port scan against the two open TCP ports returns the result above. I will start enumeration with the HTTP application on port 80.
Port 80: HTTP
The webpage above is displayed for this web application. It seems to be powered by PluXml. There is one article created by the user admin, as shown above.
I performed a source-code review and found the interesting information above. Is the application version 5.8.7?
I also found the location of the administration panel at http://192.168.250.28/core/admin through the source-code.
A Google search for the default credentials of this application returns admin:admin. Using these, I gained access to the web application as the admin user, as shown above. Also, the version of the application is 5.8.7!
I notice the static pages are the webpages that can be modified as the admin user. Maybe I can create a PHP file with a webshell? In the image above, I created a new static page called shell. I also changed the Active dropdown to Yes. Underneath the Action label, I can press the Edit button to modify the page.
In the image above, I started off with basic PHP code to see the output of whoami. I want to see if the web application executes the command or not.
And bingo! The web application executed the command and output the hostname www-data when I viewed the Shell static page I created. Time to obtain a reverse shell connection now.
I inserted the Pentest Monkey PHP reverse shell script inside the Shell static page I created. After doing this, I started a listener on my machine at port 8443 for the reverse shell connection.
Nice! I browsed to http://192.168.250.28/index.php?static2/shell and got a reverse shell connection on my machine at port 8443 with the session as the user www-data as shown above. Now I have a foothold on the target machine.
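Added example, not part of the original write-up: a defender-side audit that flags static pages containing PHP command-execution constructs like the whoami test page above. It assumes the CMS keeps static pages as .php files in a directory you pass in; the sample file names and contents are constructed.

```python
import re
import tempfile
from pathlib import Path

# PHP functions that run OS commands, evaluate strings or open raw sockets.
RISKY_CALLS = ("shell_exec", "pcntl_exec", "proc_open", "passthru",
               "fsockopen", "system", "popen", "exec", "eval")
# A bare call: not a method ($db->exec), static call (A::exec) or variable.
CALL_RE = re.compile(r"(?<![\w>$:])(" + "|".join(RISKY_CALLS) + r")\s*\(", re.I)
BACKTICK_RE = re.compile(r"`[^`\n]+`")  # PHP backtick shell operator
# Only text inside <?php ... ?>, <? ... ?> or <?= ... ?> is executed.
PHP_BLOCK_RE = re.compile(r"<\?(?:php|=)?(.*?)(?:\?>|\Z)", re.S | re.I)

def risky_constructs(source):
    """Return the sorted risky constructs found inside PHP tags in source."""
    found = set()
    for block in PHP_BLOCK_RE.findall(source):
        found.update(m.group(1).lower() for m in CALL_RE.finditer(block))
        if BACKTICK_RE.search(block):
            found.add("backtick")
    return sorted(found)

def audit_pages(directory):
    """Map each *.php file in directory to its risky constructs, if any."""
    report = {}
    for path in sorted(Path(directory).glob("*.php")):
        hits = risky_constructs(path.read_text(errors="replace"))
        if hits:
            report[path.name] = hits
    return report

def demo():
    # Constructed sample pages; names and contents are illustrative only.
    samples = {
        "001.about.php": "<h1>About</h1><p>We exec(ute) on our promises.</p>",
        "002.contact.php": "<p>&copy; <?php echo date('Y'); ?></p>",
        "003.shell.php": "<?php echo System ('whoami'); ?>",
        "004.report.php": "<?PHP $r = $db->exec($q); echo `uptime`; ?>",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            Path(tmp, name).write_text(body)
        return audit_pages(tmp)

if __name__ == "__main__":
    for page, hits in demo().items():
        print(f"{page}: {', '.join(hits)}")
```

Text outside PHP tags (the "exec(ute)" in the first sample) and method calls such as `$db->exec()` are deliberately not flagged, which keeps the report short enough to review by hand.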
I transferred Linpeas to the target machine and executed it. It found interesting binaries such as write.ul and exim4 with the SUID bit set, but I had no luck trying to escalate privileges to root using these. I notice there are a few mail applications on the target machine.
I executed the command mail and there is an email left by the user administrator which contains the credentials of the user root, as shown above. This email talks about a DDoS attack and it contains the password 6s8kaZZNaZZYBMfh2YEW of the user root.
Using su and this new password, I managed to successfully switch user to root, as shown above. Now I have root access on the target machine :)
The local.txt flag is shown above.
The proof.txt flag is shown above.